Apple to terminate developers who collect, sell user data without consent

Apple has updated the Legal section of its App Store rulebook to include new guidelines for members of the iOS Developer Program. iOS developers who collect personal data, or sell it to a third party, without clear, express consent from their users will be banished from the Apple developer community and, by implication, from the App Store.

Apple’s new legal terms come on the heels of the EU’s General Data Protection Regulation (GDPR), which took effect last month and affects any global business that collects or processes personally identifiable information (PII) of EU citizens.

The GDPR’s Data Minimization and Anonymization principles, as well as the so-called Right to Be Forgotten, oblige companies to limit the collection of PII to the absolute minimum needed for the service or app to work properly.

In that respect, Apple is now demanding that developers adhere to a new set of data collection guidelines. Some highlights:

  • All apps must include a link to their privacy policy in an easily accessible manner
  • Apps must explicitly identify what data, if any, the app/service collects, how it collects it, and all the uses of that data
  • Developers must confirm that any third party with whom an app shares user data provides the same protection of user data as stated in the app’s privacy policy
  • Apps must describe how a user can revoke consent and/or request deletion of the user’s data
  • Apps that collect user or usage data must secure user consent for the collection
  • Purpose strings must clearly and completely describe the use of the data
  • Apps must respect the user’s permission settings and not attempt to manipulate, trick, or force people to consent to unnecessary data access (e.g. don’t ask for microphone access if the app only wants to post to social media)
  • Apps must not ask the user to sign up / sign in if the app doesn’t include significant account-based functionality
  • The app must include a way to revoke social network credentials and disable data access between the app and the social network from within the app
  • Unless otherwise permitted by law, developers may not use, transmit, or share someone’s personal data without first obtaining their permission
  • Apps should not attempt to surreptitiously build a user profile based on collected data
  • Developers must not use information from Contacts, Photos, or other APIs that access user data to build a contact database for their own use or for sale/distribution to third parties

These are just some of the key new requirements for iOS developers doing business in the App Store. The guidelines also clarify that developers who use their apps to surreptitiously discover passwords or other private data will be removed from the Developer Program. The same goes for app sellers who share user data with third parties without obtaining clear, express consent from end users.

This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at:
